build(security): hash-pin pip installs, corepack pnpm, digest-pin ruby image, dependabot docker#163
Merged
Merged
Conversation
…y image, dependabot docker
OpenSSF Scorecard Pinned-Dependencies sweep (currently 6/10):
- New requirements/{pip,debugpy}.txt pin pip==25.0.1 and debugpy==1.8.14
by sha256 (every published wheel + sdist, so one file serves Linux,
Windows and macOS). All CI/workflow/container pip installs switch to
'pip install --require-hashes -r ...': ci.yml (both jobs),
release.yml build-and-test, Dockerfile, docker/test-ubuntu.dockerfile.
- Dockerfile installs pnpm via 'corepack enable && corepack prepare
pnpm@10.33.0 --activate' instead of 'npm install -g' (corepack ships
with the node base image and integrity-checks the activated version).
- examples/ruby/remote-attach/Dockerfile: FROM ruby:3.3-slim pinned by
manifest-list digest.
- dependabot.yml gains a docker ecosystem entry (/, /docker,
/examples/ruby/remote-attach) so digest pins do not rot.
- scripts/install-claude-mcp.sh and scripts/sync-to-wsl.sh used
'npm install', which cannot resolve this repo's workspace:* protocol;
switched to 'pnpm install --frozen-lockfile' (correctness + pinning).
Left as-is (documented decision): the twine/build/tomlkit installs in
release.yml pypi-publish and validate-secrets.yml -- their transitive
closures are platform-dependent and --require-hashes would need a full
pip-compile lockfile; not worth the release-pipeline risk for the last
2 warn lines.
Validated in the pinned images: corepack activation in node:22-slim and
--require-hashes debugpy install in ubuntu:24.04 both succeed; ruby
digest resolves to the multi-arch manifest list.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
OpenSSF Scorecard Pinned-Dependencies sweep (currently 6/10 with 14 warn lines):
requirements/pip.txt+requirements/debugpy.txt— pinpip==25.0.1anddebugpy==1.8.14by sha256 (every published wheel + sdist, so one file serves Linux/Windows/macOS). All pip installs switch to--require-hashes:ci.yml(both jobs),release.ymlbuild-and-test,Dockerfile,docker/test-ubuntu.dockerfile.requirements/README.mddocuments the update procedure.corepack enable && corepack prepare pnpm@10.33.0 --activate) instead ofnpm install -g— corepack ships in the node base image and integrity-checks the activated version.examples/ruby/remote-attach/Dockerfile:ruby:3.3-slimpinned by manifest-list digest.dockerecosystem added (/,/docker,/examples/ruby/remote-attach) so digest pins don't rot.scripts/install-claude-mcp.sh/scripts/sync-to-wsl.sh: replacednpm install(which can't resolve this repo'sworkspace:*protocol at all) withpnpm install --frozen-lockfile.Deliberately left unpinned-by-hash: the twine/build/tomlkit installs in
release.ymlpypi-publish andvalidate-secrets.yml— platform-dependent transitive closures would need a full pip-compile lockfile; not worth release-pipeline risk for the last 2 warn lines.Verification
pip install --require-hashes --dry-runpasses locally (Windows wheel path).node:22-slim@7af03b…;--require-hashesdebugpy install + import verified inubuntu:24.04@84e77d…with distro pip.docker manifest inspectconfirms the ruby digest resolves to the multi-arch manifest list.🤖 Generated with Claude Code